Stupid Security Measures: autocomplete=off – How To Turn Off or Disable

While I’m all for some browser-related security, this one feature is completely asinine because it’s so unpredictable, uncontrollable and stupidly implemented. This is the complete opposite of what anyone should expect from a quality user experience. Let’s explore.
What is auto-completion?
Most browsers today will automatically fill forms and password fields from locally saved browser login and password information (usually the field turns yellow when automatically filled). This is called autofill or autocompletion. I admit that storing passwords inside a browser is not the smartest of ideas, especially if the account happens to be your bank account. With that said, it is my choice. Let me emphasize this again loudly. Saving passwords IS MY CHOICE! Sorry for yelling, but some people just don’t listen or get this… hello Chrome, Firefox and IE, you guys (especially Chrome) need to take notes here.
So what’s this autocomplete=off business?
In response to autocompletion, browser makers have decided to give web site creators the ability to disable this mechanism from within their own web pages. So, when they create forms, they can add the attribute “autocomplete=off” to the form, which prevents the browser from storing (or offering to store) passwords or other sensitive information entered into it. This would be fine if the browser still gave the user the choice. It doesn’t.
I’m fine with browsers trying to prevent stupid behavior from users, but always provide an override. Never implement features like this, however, at the expense of a frustrating and inconsistent browser experience. This is exactly what autocomplete=off does. Why? The browser doesn’t give the user control over this web page mechanism nor does it even warn of it. If the site sets this flag on their form, the browser won’t offer to store anything dealing with this form. That’s fine IF I can disable this behavior in the browser. I can’t. As I so loudly said above, this is MY choice. Make this a preference. If I want to store logins and passwords for any site on the Internet, it’s my choice. This is not Chrome’s choice or Wells Fargo’s choice or any other site’s choice. If you offer to store and save passwords, you need to let me do it under all conditions or don’t offer to do it at all. Don’t selectively do it based on some random flag that’s set without any warning to the user.
Inconsistent Browser Experience
When autocomplete=off is set on a form, there is no warning to the user that this value is set. The browser just doesn’t save the password. You have no idea why; you don’t know what’s going on. You expect the browser to offer to save and it doesn’t. This just makes the browser look broken. And, frankly, it is. If the browser can’t warn that autocomplete=off is set by the site, whether by changing the color of the bar, flashing, an icon or some other warning mechanism (like the lock when https is in use), the user experience has been compromised and the browser is broken. This affects not only Chrome, but IE, Safari and Firefox. Yes, this is extremely bad browser behavior. It’s also taking a step back in time to before web 2.0, when the browser experience became more positive than negative. We’re heading back into negative territory here.
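The information the post wants the browser to surface, as an added example that is not code from the original post: a small Node script that scans page markup for credential fields and reports whether autocomplete=off applies to each one, and whether that value comes from the input itself or from the enclosing form (an input’s own attribute overrides the form’s). The regex-based tag scanner and the sample page are constructed for this example only.

```javascript
// Added example, not code from the original post. Resolves autocomplete the
// way browsers do: the input's own attribute wins, then the enclosing form's
// value, then the default "on". The tag scanner is a deliberately minimal
// regex parser so the example runs offline in Node; a browser extension
// would walk the live DOM instead.
const TAG_RE = /<(\/?)(form|input)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function auditAutocomplete(html) {
  const report = [];
  let form = null;                 // attributes of the currently open <form>
  for (const m of html.matchAll(TAG_RE)) {
    const [, closing, tag, raw] = m;
    if (tag.toLowerCase() === "form") {
      form = closing ? null : parseAttrs(raw);
      continue;
    }
    if (closing) continue;         // <input> never closes; ignore strays
    const attrs = parseAttrs(raw);
    const type = (attrs.type || "text").toLowerCase();
    if (!["password", "text", "email"].includes(type)) continue; // credential-style fields only
    let value, source;
    if (attrs.autocomplete !== undefined) { value = attrs.autocomplete; source = "input"; }
    else if (form && form.autocomplete !== undefined) { value = form.autocomplete; source = "form"; }
    else { value = "on"; source = "default"; }
    const effective = value.trim().toLowerCase();
    report.push({ name: attrs.name || "(unnamed)", type, effective, source,
                  savingBlocked: effective === "off" });
  }
  return report;
}

// Names of the fields a password manager is being told not to save: the
// detail the post argues the browser should show instead of silently
// declining to offer to save.
function blockedCredentialFields(html) {
  return auditAutocomplete(html).filter(f => f.savingBlocked).map(f => f.name);
}

// Constructed sample page (not taken from any real site).
const SAMPLE_HTML = `
<form action="/login" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pw" autocomplete="on">
  <input type="hidden" name="csrf" value="abc">
</form>
<form action="/signup">
  <input type="email" name="email">
  <input type="password" name="pw2" autocomplete=off>
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditAutocomplete(SAMPLE_HTML)) {
    console.log(`${f.type.padEnd(8)} ${f.name.padEnd(6)} autocomplete=${f.effective} (from ${f.source})`);
  }
  console.log("saving blocked for:", blockedCredentialFields(SAMPLE_HTML).join(", "));
}
```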
Browser Developers Hear Me
Not warning the user that the experience is about to change substantially is not wanted behavior. For auto-completion, we already have mechanisms to shut it off entirely. We have mechanisms to exclude sites from saving credentials. Why do we need to change the browser experience just to satisfy Wells Fargo or some other site? I’m all for letting these sites set this flag, but just like overriding bad certificates at https sites, users should be able to override autocomplete=off. There is no need to break the browser experience because you want to allow sites to stop the saving of passwords. No, again, hear me, it’s MY CHOICE. It’s not your choice as a developer. It’s not Wells Fargo’s choice. It’s not PayPal’s choice. It’s MY CHOICE. If I want to save passwords into my browser, allow me to always override this setting.
Hacks Galore
Yes, there are browser hacks available as browser extensions (Chrome or Firefox) to disable autocomplete=off on forms on sites. While these hacks work, they require updating, can break on browser updates and can be generally problematic under some conditions. No, this is an issue that firmly needs to be addressed in the core browser, not through clever browser add-on hacks. Let the sites set autocomplete=off, that’s fine. But, warn me that it’s turned on and let me override it. I shouldn’t need a hack to fix a bug in the browser.
Always Warn of Browser Experience Changes
Why am I coming down on this issue so hard? Because this is a completely crappy implementation of this feature. Why? Because it breaks the user’s browsing experience without any warning. If the page is attempting to prevent me from saving credentials, then this information should be marked clearly in the browser somewhere. Perhaps by adding a special icon to the address bar indicating that credential saving is not allowed on this site. Then, when I click that small icon, I should be able to override this behavior immediately. Again, it is my choice whether to store passwords in the browser. There should never be any de facto security mechanisms which cannot be overridden by a user control. Never!
If the user chooses to do something stupid, that’s the user’s choice. No, it’s not a bank’s, Chrome’s or any other company’s responsibility to ensure the safety of user data. It’s entirely the user’s responsibility, and those choices should be completely left up to the user to decide, for better or worse.
“This website recommends you do not save your password as doing so may present a security risk. Would you like to save your password anyway, against the advice of the website’s creators?”
How hard is that?
I definitely agree that it’s very simple to place a warning message on the site. It’s also relatively easy to make an icon visible on the browser when a feature is active. Either way, there’s an easy fix here to make this whole deal a much more friendly experience. Definitely need something better that’s for sure.
I’m a Web Developer, and at the moment I am creating a site with a form that has to give some information through “hidden fields” to the server. It is essential for the website to work that the hidden fields are not autofilled. I was very happy to hear about the autocomplete=off feature, but I experienced that it’s not working in the newest version of Chrome. I made many websites that won’t work as long as Chrome prefills HIDDEN input fields, and I am very happy to go through them all and try to fix this issue… So next time better think about the other side before you write something like that…
Hi Michael,
From a user perspective, the browser needs to notify the user that this setting is active. It’s fine if sites want to use autocomplete=off on their site. It’s also fine if I want to override the setting. But, as a browser user, the browser should display and inform the user that the site has chosen not to allow passwords to be saved. Basically, you experienced exactly what I described, which is that the browsers are broken when it comes to displaying information about this feature. As a developer, you of all people should appreciate when the browser informs you that your setting is working.
What I mean by this is that when this setting is active on a web site, the browser does not inform the user that this setting is active with an icon or by any other means. Instead, when you attempt to enter a user and password, nothing happens and the browser does not prompt to save. Granted, Chrome’s credential storage system is hit-or-miss anyway. That is, sometimes it works to store credentials and sometimes it doesn’t even if the site isn’t using autocomplete=off. This makes Chrome generally broken for user password storage.
However, when autocomplete=off is set, Chrome tells you nothing and offers to save nothing. It just appears broken… and it is. As a developer, you should appreciate that each browser needs to be much more informative to the user when this setting is enabled. Like the lock in the URL bar when using HTTPS, browsers should display an icon showing that autocomplete=off is active on the site. This way, there is no confusion over what the browser is doing (or not doing). As a developer, you should really complain to the browser developers that their browsers are broken when (not) informing users and developers when this feature is in use.
Thanks for your comment.
BTW, I would highly recommend that you only use the release channel of Chrome when testing against the web site you are building. If you are using the beta, dev or any other non-stable channels, there’s no guarantee that any specific features you might be attempting to use aren’t broken. I’ve found that the non-release channels are generally unstable and mostly unsuitable for everyday use. So, you should make sure you have the main release channel installed on your system for testing. Good luck.
Thank you, thank you, thank you for this enlightening post. It saved me from further hours of searching to make autocomplete work “properly.” It is these maddening types of “O” behavior – obdurate, obstinate, obstreperous – from the overlords that deservedly earn them user hostility. Back off Big Brother, this is NOT your call.
This issue ticks me off as well. I am not even using the browser’s auto-complete function. I am using an encrypted password manager to auto-fill the user and password spaces. Thus the “browser security” argument is not a big issue for me. When this functionality (to auto-complete) is shut down, you cannot even do a cut and paste into the password field — only manual typing works. I THINK the reason that some sites implement this feature (which I hate) is due to bots that roam the web trying captured user / pw combos on a variety of sites to see if they can gain access. By not allowing any cut and paste into a particular field, it forces manual typing (from what I understand), thus helping to limit some level of hacking into those sites. While I understand this, I find my most financially critical sites don’t employ this methodology – they use a third required input field, register your computer with a cookie, employ other security measures, etc. What I find is that it’s the smaller, far less critical sites that implement this stupid feature. Which in turn usually encourages me to put in a far easier password, because I don’t want to have to type in some complicated string of letters and numbers which I always use on sites that allow for auto-complete. In the end, I think this only backfires on the companies that utilize this silly feature.
I have never observed what you mention here (browsers not allowing to paste password in autocomplete-disabled forms)—maybe it’s some special “feature” of the browser that you are using?
In any case, this certainly wouldn’t keep any bot programmer from doing their work, either by writing a bot that is based on a different browser, or by making it “type” the password instead of pasting it, or by simply writing a standalone bot that doesn’t rely on any browser at all. (In most cases this type of bot is by far the easiest to write.)
I am fully aware of what you’re saying here (in fact, I was already fully aware of it even before reading this somewhat repetitive blog post). But please do look at the comment that I was answering with my comment and you’ll see that the person writing that one actually does claim autocomplete=”off” to disable the well-known copy and paste mechanism.
Hello commorancy, please feel free to delete this comment. It looks a bit silly without your comment that it was referring to and that you just deleted while I was replying. Thanks!
Hi Lars,
I thought your comment was a top-level comment as that’s the way WordPress initially presented it to me in my browser. Only after I loaded the comments page a few times did it show that it was threaded to another author’s comment. I find this frustrating about WordPress.com’s hosted site when trying to put context to comments. It doesn’t always show exactly how comments are threaded until later and it definitely doesn’t show threading in the moderation area.
After seeing your comment in relation to the original comment thread, it makes a lot more sense than when I read it in context to the original article. Sorry for any confusion over my comment.
Thanks.
Does anyone know a good hack for IE to disable autocomplete=”off” i.e. to set it to on for all web pages?
Hi Marc,
I’ve looked for plugins to disable this in IE, but I have been unsuccessful at finding one. If I do find one, I’ll post up a link. In the meantime, I’d suggest using Firefox or Chrome.
Thanks.
I mostly agree, but I envisage one situation where using autocomplete=off actually makes an application better … namely in the context of password reset forms … I don’t find it helpful to have those auto-filled. In real world applications (often of the backoffice/intranet variety) some user is tasked with application administration; tasks include (re)setting people’s passwords, and in such a case you would like to show password inputs without the autofill behaviour.
The issue of whether people should be tasked with changing other people’s passwords is another discussion! But in the real world it happens (and clients do request such functionality be built into their apps … even if you don’t agree, you cannot always convince them it’s a bad idea).
The fundamental issue is that anything that can be set in a page should be allowed to be overridden by the user. This is the most basic fundamental right that we should be afforded as users. Unfortunately, that may also break potentially useful use cases. As a web programmer, as long as you understand that the user can and will potentially override anything you try to enforce, then those users may have problems. However, if a situation arises in the browser where the user is overriding a setting set by the web developer, then that information should be imparted to the user with a bubble or popup explaining that things on the page could break with the override. As long as the user is told this on page load, they can make the choice to let it override or disable the override for that page load.
Again, it should not be the web developer’s choice that breaks the user’s experience. The user experience should always be controlled and managed by the browser. If the experience is broken by something a web developer can set on a page, then the browser is fundamentally broken. Perhaps I should write a guide on this subject?
I strongly agree with the post. This browser behaviour is very boring.
Hallelujah, Brother! I’m in total agreement with you, at least now that I understand the cause of the problem. This thing bit me in the backside when I created a login at this rinkydink little site run by the school that my kids attend. It took me about half an hour to scope out why FF wouldn’t offer to store my login credentials. I’m willing to waste a little more time overriding these morons’ overreaching security policy.
You mentioned in “Hacks Galore” that there were browser add-ons to address this issue. If you know one that works with Firefox, would you please share it. Thanks.
Thanks for your comment, Bob. Yes, there are Firefox add-ons. I’ve just installed and tested Remember Passwords 1.0.2 and it does work on Paypal’s site (which has autocomplete=off defined).
Sorry for any confusion if you saw an earlier reply containing Autocomplete Manager. This extension doesn’t work with Firefox 16. So, I’ve tested the one above and it does work with Paypal.
Thanks.
Hi Bob,
I’ve just added the link to the Firefox add-on into the article. Thanks for asking to have this information added.
Many thanks!
Please feel free to remove this note to cut down on the comment clutter…
> It’s not your choice as a developer. It’s not Wells Fargo’s choice. It’s not PayPal’s choice. It’s MY CHOICE. If I want to save passwords into my browser, allow me to always override this setting.
Amen, brother. A big regression in the web browsing experience over the last year, IMO.
Maybe if browsers had an automated way to accept a signed, notarized waiver of liability, so that a bank, etc., wouldn’t be on the hook if your account was compromised because you stored your password in your browser.
Yes, that would be great wouldn’t it? Except that the most likely way that your password would be lost or stolen wouldn’t be because it’s saved in your browser. It’s much more likely that your password will be stolen because your system has become infected with a keystroke logger via an email phishing attack that installed spyware, a virus or a trojan. Alternatively, it’s about equally likely that a user will click a phishing link in a convincing email scam that looks like their bank’s emails leading them to a login page that, again, looks like their bank’s login page. This leads the victim to ‘login’ and give the scam artists their login and password credentials. These scenarios are far more likely than losing the password from the browser password storage area.
In other words, protecting your computer from attacks is fundamentally a lot more important than worrying about having stored the password in the browser. Because, once your computer is infected, they won’t be looking at your password cache in the browser. No, they’ll be logging your keystrokes to gather your credit card numbers, account numbers, addresses, social security, birth dates and any other identifying information so they can steal your identity. Worrying about revealing your login and password details through the browser is much less likely than having the computer becoming infected or falling victim to a phishing attack.
With a notebook that can be easily misplaced, lost or stolen, then storing passwords is not a good idea for the same reason as a shared computer. I wouldn’t place sensitive passwords in a notebook’s browser unless the whole hard drive was encrypted to protect from loss or theft. If it’s a desktop and never leaves your house, then it’s not so much a problem as long as you safeguard against attacks. Although, it might be a good idea to encrypt the drive here too.
The only case where storing passwords isn’t recommended is if it’s a shared computer. However, if it is a shared computer, then you shouldn’t be saving any passwords on it, as your computermates will likely dig through your login and password credentials. If at all possible, get your own computer that only you have access to.
If someone loses their password to a phishing scam, that doesn’t make Wells Fargo any more liable than the browser storing the password. In the end, if you’ve lost your money through any kind of attack, Wells Fargo is likely to be partly liable anyway, so the argument is a bit weak.
Note, the fact that any bank sends out emails that can be spoofed by would-be phishing artists likely sets that bank up with far more liability than worrying whether their password is being stored in the browser.
aww, it was at the very top, I looked everywhere but didn’t see it. Sorry, usually see things signed and dated at the bottom.
Is there a way to understand when you post things? Because without a date, it’s hard to understand if it’s still valid. Otherwise, insanely great post.
Actually, I’m glad you asked this question. While I know you found the answer, it’s good to let others know. There are two ways to see the date of a post. In this theme, it’s in the black bar at the top of each post. The second place is in the URL bar as part of the permalink. I try to keep my posts relevant and up-to-date so they are applicable for quite a while. I also remove posts that are no longer applicable.
Thanks and I am glad this was helpful.